<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Defining roles | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'defining-roles.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/defining-roles.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/defining-roles.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/defining-roles.html" rel="nofollow" target="_blank">../en/defining-roles.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="authorization.html">User authorization</a></span>
»
<span class="breadcrumb-node">Defining roles</span>
</div>
<div class="navheader">
<span class="prev">
<a href="built-in-roles.html">« Built-in roles</a>
</span>
<span class="next">
<a href="security-privileges.html">Security privileges »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="defining-roles"></a>Defining roles<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authorization/managing-roles.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>
<p>A role is defined by the following JSON structure:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "run_as": [ ... ], <a id="CO481-1"></a><i class="conum" data-value="1"></i>
  "cluster": [ ... ], <a id="CO481-2"></a><i class="conum" data-value="2"></i>
  "global": { ... }, <a id="CO481-3"></a><i class="conum" data-value="3"></i>
  "indices": [ ... ], <a id="CO481-4"></a><i class="conum" data-value="4"></i>
  "applications": [ ... ] <a id="CO481-5"></a><i class="conum" data-value="5"></i>

}</pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO481-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>A list of usernames the owners of this role can <a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">impersonate</a>.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO481-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>A list of cluster privileges. These privileges define the
cluster level actions users with this role are able to execute. This field
is optional (missing <code class="literal">cluster</code> privileges effectively mean no cluster level
permissions).</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO481-3"><i class="conum" data-value="3"></i></a></p>
</td>
<td align="left" valign="top">
<p>An object defining global privileges. A global privilege is a form of
cluster privilege that is request sensitive. A standard cluster privilege
makes authorization decisions based solely on the action being executed.
A global privilege also considers the parameters included in the request.
Support for global privileges is currently limited to the management of
application privileges.  This field is optional.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO481-4"><i class="conum" data-value="4"></i></a></p>
</td>
<td align="left" valign="top">
<p>A list of indices permissions entries. This field is optional (missing <code class="literal">indices</code>
privileges effectively mean no index level permissions).</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO481-5"><i class="conum" data-value="5"></i></a></p>
</td>
<td align="left" valign="top">
<p>A list of application privilege entries. This field is optional.</p>
</td>
</tr>
</table>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<a id="valid-role-name"></a>
<p>Role names must be at least 1 and no more than 1024 characters. They can
      contain alphanumeric characters (<code class="literal">a-z</code>, <code class="literal">A-Z</code>, <code class="literal">0-9</code>), spaces,
      punctuation, and printable symbols in the <a href="https://en.wikipedia.org/wiki/Basic_Latin_(Unicode_block)" class="ulink" target="_top">Basic Latin (ASCII) block</a>.
      Leading or trailing whitespace is not allowed.</p>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="roles-indices-priv"></a>Indices Privileges<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authorization/managing-roles.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The following describes the structure of an indices permissions entry:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "names": [ ... ], <a id="CO482-1"></a><i class="conum" data-value="1"></i>
  "privileges": [ ... ], <a id="CO482-2"></a><i class="conum" data-value="2"></i>
  "field_security" : { ... }, <a id="CO482-3"></a><i class="conum" data-value="3"></i>
  "query": "..." <a id="CO482-4"></a><i class="conum" data-value="4"></i>
  "allow_restricted_indices": false <a id="CO482-5"></a><i class="conum" data-value="5"></i>
}</pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO482-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>A list of indices (or index name patterns) to which the permissions in this
entry apply.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO482-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>The index level privileges the owners of the role have on the associated
indices (those indices that are specified in the <code class="literal">names</code> field)</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO482-3"><i class="conum" data-value="3"></i></a></p>
</td>
<td align="left" valign="top">
<p>Specification for document fields the owners of the role have read access to.
See <a class="xref" href="field-and-document-access-control.html" title="Setting up field and document level security">Setting up field and document level security</a> for details.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO482-4"><i class="conum" data-value="4"></i></a></p>
</td>
<td align="left" valign="top">
<p>A search query that defines the documents the owners of the role have read
access to. A document within the associated indices must match this query
in order for it to be accessible by the owners of the role.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO482-5"><i class="conum" data-value="5"></i></a></p>
</td>
<td align="left" valign="top">
<p>Restricted indices are a special category of indices that are used
internally to store configuration data. Only internal system
roles should normally grant privileges over the restricted indices.
<span class="strong strong"><strong>Toggling this flag is most discouraged because it could effectively grant
superuser privileges.</strong></span> If however, for administrative purposes, you need to
create a role with privileges covering restricted indices, you must set
this field to <code class="literal">true</code> (default  is <code class="literal">false</code>), and then the <code class="literal">names</code> field will
cover the restricted indices as well.</p>
</td>
</tr>
</table>
</div>
<div class="tip admon">
<div class="icon"></div>
<div class="admon_content">
<p>When specifying index names, you can use indices and aliases with their full
names or regular expressions that refer to multiple indices.</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Wildcard (default) - simple wildcard matching where <code class="literal">*</code> is a placeholder
for zero or more characters, <code class="literal">?</code> is a placeholder for a single character
and <code class="literal">\</code> may be used as an escape character.
</li>
<li class="listitem">
Regular Expressions - A more powerful syntax for matching more complex
patterns. This regular expression is based on Lucene’s regexp automaton
syntax. To enable this syntax, it must be wrapped within a pair of
forward slashes (<code class="literal">/</code>). Any pattern starting with <code class="literal">/</code> and not ending with
<code class="literal">/</code> is considered to be malformed.
</li>
</ul>
</div>
<p><strong>Example Regular Expressions.</strong></p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">"foo-bar":               # match the literal `foo-bar`
"foo-*":                 # match anything beginning with "foo-"
"logstash-201?-*":       # ? matches any one character
"/.*-201[0-9]-.*/":      # use a regex to match anything containing 2010-2019
"/foo":                  # syntax error - missing final /</pre>
</div>
</div>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="roles-global-priv"></a>Global Privileges<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authorization/managing-roles.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The following describes the structure of a global privileges entry:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "application": {
    "manage": {    <a id="CO483-1"></a><i class="conum" data-value="1"></i>
        "applications": [ ... ] <a id="CO483-2"></a><i class="conum" data-value="2"></i>
    }
  }
}</pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO483-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>The only supported global privilege is the ability to manage application
privileges</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO483-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>The list of application names that may be managed. This list supports
wildcards (e.g. <code class="literal">"myapp-*"</code>) and regular expressions (e.g.
<code class="literal">"/app[0-9]*/"</code>)</p>
</td>
</tr>
</table>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="roles-application-priv"></a>Application Privileges<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authorization/managing-roles.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The following describes the structure of an application privileges entry:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "application": "my_app", <a id="CO484-1"></a><i class="conum" data-value="1"></i>
  "privileges": [ ... ],   <a id="CO484-2"></a><i class="conum" data-value="2"></i>
  "resources": [ ... ]     <a id="CO484-3"></a><i class="conum" data-value="3"></i>
}</pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO484-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>The name of the application.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO484-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>The list of the names of the application privileges to grant to this role.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO484-3"><i class="conum" data-value="3"></i></a></p>
</td>
<td align="left" valign="top">
<p>The resources to which those privileges apply. These are handled in the same
way as index name pattern in <code class="literal">indices</code> permissions. These resources do not
have any special meaning to the Elasticsearch security features.</p>
</td>
</tr>
</table>
</div>
<p>For details about the validation rules for these fields, see the
<a href="security-api-put-privileges.html" class="ulink" target="_top">add application privileges API</a>.</p>
<p>A role may refer to application privileges that do not exist - that is, they
have not yet been defined through the add application privileges API (or they
were defined, but have since been deleted). In this case, the privilege has
no effect, and will not grant any actions in the
<a href="security-api-has-privileges.html" class="ulink" target="_top">has privileges API</a>.</p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="_example_7"></a>Example<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authorization/managing-roles.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The following snippet shows an example definition of a <code class="literal">clicks_admin</code> role:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/role/clicks_admin
{
  "run_as": [ "clicks_watcher_1" ],
  "cluster": [ "monitor" ],
  "indices": [
    {
      "names": [ "events-*" ],
      "privileges": [ "read" ],
      "field_security" : {
        "grant" : [ "category", "@timestamp", "message" ]
      },
      "query": "{\"match\": {\"category\": \"click\"}}"
    }
  ]
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1242.console"></div>
<p>Based on the above definition, users owning the <code class="literal">clicks_admin</code> role can:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Impersonate the <code class="literal">clicks_watcher_1</code> user and execute requests on its behalf.
</li>
<li class="listitem">
Monitor the Elasticsearch cluster
</li>
<li class="listitem">
Read data from all indices prefixed with <code class="literal">events-</code>
</li>
<li class="listitem">
Within these indices, only read the events of the <code class="literal">click</code> category
</li>
<li class="listitem">
Within these document, only read the <code class="literal">category</code>, <code class="literal">@timestamp</code> and <code class="literal">message</code>
fields.
</li>
</ul>
</div>
<div class="tip admon">
<div class="icon"></div>
<div class="admon_content">
<p>For a complete list of available <a class="xref" href="security-privileges.html" title="Security privileges">cluster and indices privileges</a></p>
</div>
</div>
<p>There are two available mechanisms to define roles: using the <em>Role Management APIs</em>
or in local files on the Elasticsearch nodes. You can also implement
custom roles providers.  If you need to integrate with another system to retrieve
user roles, you can build a custom roles provider plugin. For more information,
see <a class="xref" href="custom-roles-authorization.html" title="Customizing roles and authorization">Customizing Roles and Authorization</a>.</p>
<h3>
<a id="roles-management-ui"></a>Role management UI<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authorization/managing-roles.asciidoc">edit</a>
</h3>
<p>You can manage users and roles easily in Kibana. To
manage roles, log in to Kibana and go to <span class="strong strong"><strong>Management / Security / Roles</strong></span>.</p>
<h3>
<a id="roles-management-api"></a>Role management API<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authorization/managing-roles.asciidoc">edit</a>
</h3>
<p>The <em>Role Management APIs</em> enable you to add, update, remove and retrieve roles
dynamically. When you use the APIs to manage roles in the <code class="literal">native</code> realm, the
roles are stored in an internal Elasticsearch index. For more information and examples,
see <a href="security-api.html#security-role-apis" class="ulink" target="_top">role management APIs</a>.</p>
<h3>
<a id="roles-management-file"></a>File-based role management<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authorization/managing-roles.asciidoc">edit</a>
</h3>
<p>Apart from the <em>Role Management APIs</em>, roles can also be defined in local
<code class="literal">roles.yml</code> file located in <code class="literal">ES_PATH_CONF</code>. This is a YAML file where each
role definition is keyed by its name.</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>If the same role name is used in the <code class="literal">roles.yml</code> file and through the
<em>Role Management APIs</em>, the role found in the file will be used.</p>
</div>
</div>
<p>While the <em>Role Management APIs</em> is the preferred mechanism to define roles,
using the <code class="literal">roles.yml</code> file becomes useful if you want to define fixed roles that
no one (beside an administrator having physical access to the Elasticsearch nodes)
would be able to change. Please note however, that the <code class="literal">roles.yml</code> file is provided as a
minimal administrative function and is not intended to cover and be used
to define roles for all use cases.</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>You cannot view, edit, or remove any roles that are defined in <code class="literal">roles.yml</code> by
using the <a class="xref" href="defining-roles.html#roles-management-ui" title="Role management UI">role management UI</a> or the
<a class="xref" href="defining-roles.html#roles-management-api" title="Role management API">role management APIs</a>.</p>
</div>
</div>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>The <code class="literal">roles.yml</code> file is managed locally by the node and is not globally by the
cluster. This means that with a typical multi-node cluster, the exact same
changes need to be applied on each and every node in the cluster.</p>
<p>A safer approach would be to apply the change on one of the nodes and have the
<code class="literal">roles.yml</code> distributed/copied to all other nodes in the cluster (either
manually or using a configuration management system such as Puppet or Chef).</p>
</div>
</div>
<p>The following snippet shows an example of the <code class="literal">roles.yml</code> file configuration:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">click_admins:
  run_as: [ 'clicks_watcher_1' ]
  cluster: [ 'monitor' ]
  indices:
    - names: [ 'events-*' ]
      privileges: [ 'read' ]
      field_security:
        grant: ['category', '@timestamp', 'message' ]
      query: '{"match": {"category": "click"}}'</pre>
</div>
<p>Elasticsearch continuously monitors the <code class="literal">roles.yml</code> file and automatically picks
up and applies any changes to it.</p>
</div>

</div>
<div class="navfooter">
<span class="prev">
<a href="built-in-roles.html">« Built-in roles</a>
</span>
<span class="next">
<a href="security-privileges.html">Security privileges »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>